The ZeroAccess Botnet Revealed


There has been a large spread of botnet-related threats on the web recently. A botnet is basically a collection of code instances linked to each other through some communication mechanism, through which they receive commands to perform certain actions. These may also be described as a collection of bots/zombies that are controlled by a central server through commands. A very practical example is a distributed denial of service attack, in which a collection of bots (a botnet) attacks a particular IP address or host and hampers its services. A recent example was covered in my article on the Spamhaus DDoS attack.

On similar lines, the ZeroAccess botnet is built on a specialised Trojan horse that affects Windows operating systems and downloads malware to an infected machine to form a botnet. Read about how we reverse-engineered the ZeroAccess Trojan here. According to Symantec’s analysis of this Trojan, it uses an advanced rootkit to hide itself. To set up its own botnet, this Trojan creates its own hidden file system, downloads more malware from the connected environment, and opens up a back door for access to the compromised system. The attacker is then able to perform actions as required, and the victim’s system becomes a part of the botnet. The name ZeroAccess was coined because a string found in the kernel driver code points to the original project folder, ZeroAccess. It is also code named max++ because it creates a kernel object named __max++>.


In a recent report, FortiGuard Labs revealed ZeroAccess as the number one threat this quarter as reported by FortiGate devices worldwide. The attack vector of ZeroAccess was primarily focused on Bitcoin mining. Bitcoin is an online digital currency, not managed by any government, that relies on an Internet-based network. It is heavily used in the underground market for illegal activities such as drug trafficking, arms dealing, black hat hacking, etc. Bitcoins are mined by solving blocks of data: finding input that produces the required pattern when the Bitcoin hash algorithm is applied to it. Miners use high-end machines with graphics cards for GPU processing to solve these blocks. Once set up, the machines can be left to run the algorithm endlessly and keep mining Bitcoins. GPUs are more efficient at mining than CPUs, so you would usually find multiple graphics cards attached to a high-end CPU, which makes a formidable Bitcoin mining machine. A recent study by Bloomberg calculated $150,000 in power costs due to the large consumption of these powerhouse mining machines.

Back to the ZeroAccess botnet: it was first identified in July 2011 and has affected around 9 million systems. This botnet usually spreads through a series of attack vectors such as social engineering, where a user is lured into clicking a malicious executable. This malicious executable may be packaged as a keygen or named after well-known software. In both scenarios, the user is compromised once he runs the executable. The user may also be compromised through an advertising campaign that makes him click a particular advertisement, which in turn redirects him to a malicious website. Its attack vectors further include a manual infection scheme in which a person is paid for installing the rootkit on systems. The rates are about $100 for every 1000 infections and are estimated to go up to $500. Another motive was to make money through pay-per-click advertisement campaigns. This was performed by downloading an application from the exploit kit or the command server and using it to run web searches for specific advertisements. Once an advertisement is found, the application clicks on it, which generates revenue for the operator.

Kaspersky recently reported that spammers have launched a fraudulent social engineering campaign over Skype that sends messages to contacts containing links to malicious websites. Once the malware infects a system, it uses the system’s processing power to mine Bitcoins.

Through a recent analysis, Kaspersky identified this as Trojan.Win32.Jorik.IRCbot.xkt. As discovered by Symantec, the Trojan is distributed using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit. The Blackhole toolkit is an exploit kit that has recently been in the news because of its widespread use by attackers. When a victim visits a site that has been infected with a malicious iframe, the iframe redirects the user to the Blackhole exploit server. When the user reaches the Blackhole server, it attempts to exploit vulnerabilities in the user’s browser and its plugins. Nowadays we have multiple applications on the user machine, such as Internet Explorer, Java, Adobe products, and many more. These are often not updated, and hence the toolkit easily defeats the client-side defenses. Symantec recently revealed a few vulnerabilities that the Blackhole and Bleeding Life toolkits exploited. These are:

Microsoft Windows Help and Support Center Trusted Document Whitelist Bypass Vulnerability (BID 40725)—The Microsoft Help and Support Center was prone to a trusted document bypass vulnerability that allowed remote untrusted attackers to access arbitrary help documents, which led to various attacks.

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462)—The Microsoft MDAC RDS.Dataspace ActiveX control was vulnerable to remote code execution. An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

The bait may also be a keygen/crack for commercial software, as discussed earlier. The websites hosting these cracks often contain malware. There was recent news of advertisement servers being infected with malicious code and, as such, the websites running their advertisement campaigns were affected in turn. Once a user simply runs the executable served by one of these toolkit servers, the dropper silently suspends the part of Windows File Protection (WFP) that handles the repair of protected Windows operating system files. The Trojan then overwrites a system driver with its own kernel mode driver and loads it: a driver file located alphabetically between %System%\Drivers\classpnp.sys and %System%\Drivers\win32k.sys is overwritten with the Trojan’s own code. Communication largely depends on peer-to-peer technology, making it possible for the authors to improve upon the Trojan and add functionality.
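An added example (not from the article or from Symantec) of how a defender might catch the in-place driver overwrite described above: hash every file in the drivers directory, keep that baseline, and later report any file whose name falls in the classpnp.sys to win32k.sys range and whose hash has changed. The directory layout and file contents below are constructed; a real deployment would point `snapshot()` at %System%\Drivers and store the baseline off-host so that the rootkit cannot tamper with it.

```python
"""Baseline-and-compare check for kernel driver files in the name range the
article cites (alphabetically between classpnp.sys and win32k.sys).
Added example, not from the article; demo() runs it against a constructed
temporary directory standing in for %System%\\Drivers."""
import hashlib
import os
import tempfile

LOW, HIGH = "classpnp.sys", "win32k.sys"


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(driver_dir):
    """Map lowercase file name -> SHA-256 for every regular file in driver_dir."""
    out = {}
    for name in os.listdir(driver_dir):
        p = os.path.join(driver_dir, name)
        if os.path.isfile(p):
            out[name.lower()] = sha256_file(p)
    return out


def in_target_range(name, low=LOW, high=HIGH):
    # Windows file names compare case-insensitively; the range is inclusive so
    # that the two boundary drivers themselves are also covered.
    return low <= name.lower() <= high


def compare(baseline, current):
    """Return {'modified', 'added', 'removed'} restricted to the name range.
    A file in the range with an unchanged name but a changed hash is the
    article's overwrite pattern: the Trojan replaces an existing driver in
    place, so only the content differs."""
    modified = sorted(n for n in baseline
                      if n in current and baseline[n] != current[n] and in_target_range(n))
    added = sorted(n for n in current if n not in baseline and in_target_range(n))
    removed = sorted(n for n in baseline if n not in current and in_target_range(n))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Construct a fake driver directory (constructed data), baseline it,
    overwrite one driver inside the range and one outside it, and return the
    comparison. Only the in-range change should be reported."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("acpi.sys", "classpnp.sys", "disk.sys", "ndis.sys", "win32k.sys"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"benign driver image: " + name.encode())
        base = snapshot(d)
        # Simulate the in-place overwrite: same name, different content.
        with open(os.path.join(d, "disk.sys"), "wb") as f:
            f.write(b"replaced content")
        # Change a file outside the range too; it must not be reported.
        with open(os.path.join(d, "acpi.sys"), "wb") as f:
            f.write(b"also changed")
        return compare(base, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

The range filter keeps the report focused on the behaviour the article describes; dropping `in_target_range` turns the same code into a general integrity check for the whole drivers directory, which is what most practitioners would actually run.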

Here is an example attack vector from ZeroAccess, where a copy of the game Skyrim was trojanised by ZeroAccess. The installer was an NSIS archive. During the attack, a file was dropped at “%Profile%\Application Data\skyrimlauncher.exe” and a screen showing the game installer appeared. In the background, an encrypted 7zip file was dropped and executed. These ZeroAccess droppers, whether delivered by exploit toolkits or as standalone malicious executables, are specially crafted to bypass antivirus detection. This technique is known as making the executable fully undetectable (FUD): the executable is tried and tested against different antivirus databases for evasion. These droppers have recently been using hardware breakpoints as part of their unpacking routine, which makes attaching a kernel debugger to the target system more challenging. A particularly notable feature of the ZeroAccess dropper is that a single dropper installs the appropriate malware depending on the architecture of the operating system, 32-bit or 64-bit.

Here is an image of ZeroAccess botnet infections in USA as visualized in Google Earth posted by F-Secure on its blog.

Symantec published a security advisory for protection against the ZeroAccess Trojan. Users were strictly advised not to click on links that look suspicious or on advertisement popups claiming prizes or similar offers. They should not try to obtain cracks of copyrighted software or the keygens used to activate such pirated copies. The Trojan bypasses firewalls and makes a TCP connection on port 13620 to the command and control server. The advisory recommends blocking access to the following IP addresses on a firewall or router, since the threat was observed to contact them:

69.176.14.76

76.28.112.31

24.127.157.117

117.205.13.113

200.59.7.216

113.193.49.54

It was also found to contact the following NTP servers:

ntp2.usno.navy.mil

ntp.adc.am

chronos.cru.fr

wwv.nist.gov

clock.isc.org

time.windows.com

time2.one4vision.de

time.cerias.purdue.edu

clock.fihn.net

ntp.duckcorp.org

ntp.ucsd.edu

ntp1.arnes.si

ntp.crifo.org

tock.usask.ca
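The C2 addresses, the TCP/13620 port and the NTP hostnames above make up a small indicator set. The following added example (not part of the article or of Symantec's advisory) runs it over constructed firewall and DNS resolver log lines: any flow to a listed address is reported, with port 13620 marked as the higher-confidence match, and a host that resolves several of the listed NTP servers is flagged as a weak signal (these are legitimate public time servers, so only the breadth of the pattern is unusual). The two log formats, the `ntp_threshold` value and the `block_rules()` iptables rendering are assumptions.

```python
"""Detection over constructed firewall and DNS logs for the ZeroAccess
indicators quoted in the article (C2 IPs, TCP/13620, NTP hostnames).
Added example, not from the article; log formats are assumed/constructed."""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the advisory list quoted in the article.
C2_IPS = {"69.176.14.76", "76.28.112.31", "24.127.157.117",
          "117.205.13.113", "200.59.7.216", "113.193.49.54"}
C2_PORT = 13620
NTP_SERVERS = {"ntp2.usno.navy.mil", "ntp.adc.am", "chronos.cru.fr", "wwv.nist.gov",
               "clock.isc.org", "time.windows.com", "time2.one4vision.de",
               "time.cerias.purdue.edu", "clock.fihn.net", "ntp.duckcorp.org",
               "ntp.ucsd.edu", "ntp1.arnes.si", "ntp.crifo.org", "tock.usask.ca"}

# Assumed (constructed) firewall line: "<ts> FW src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")
# Assumed (constructed) DNS resolver line: "<ts> DNS client=<ip> query=<name>"
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS client=(?P<src>\S+) query=(?P<qname>\S+)$")

# Constructed sample logs: one C2 hit on the C2 port, one contact with a listed
# IP on another port, one benign flow (TEST-NET-2 address), and NTP lookups.
SAMPLE_LOGS = [
    "2013-05-01T10:00:01Z FW src=10.0.0.5 dst=69.176.14.76 dport=13620 proto=tcp",
    "2013-05-01T10:00:02Z FW src=10.0.0.5 dst=198.51.100.10 dport=443 proto=tcp",
    "2013-05-01T10:00:03Z FW src=10.0.0.7 dst=24.127.157.117 dport=80 proto=tcp",
    "2013-05-01T10:00:04Z DNS client=10.0.0.5 query=ntp2.usno.navy.mil.",
    "2013-05-01T10:00:05Z DNS client=10.0.0.5 query=clock.isc.org.",
    "2013-05-01T10:00:06Z DNS client=10.0.0.5 query=tock.usask.ca.",
    "2013-05-01T10:00:07Z DNS client=10.0.0.9 query=time.windows.com.",
]


def analyze(lines, ntp_threshold=3):
    """Return (c2_hits, ntp_suspects).
    c2_hits: list of (src, dst, dport, on_c2_port) for every flow to a listed
    C2 address; on_c2_port is True when it matches TCP/13620.
    ntp_suspects: {src: sorted listed NTP names} for hosts that resolved at
    least ntp_threshold distinct servers from the list (weak signal: a normal
    host syncs against one or two time servers, not a spread of them)."""
    c2_hits = []
    ntp_by_host = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line.strip())
        if m:
            dport = int(m["dport"])
            if m["dst"] in C2_IPS:
                on_c2_port = dport == C2_PORT and m["proto"].lower() == "tcp"
                c2_hits.append((m["src"], m["dst"], dport, on_c2_port))
            continue
        m = DNS_RE.match(line.strip())
        if m:
            qname = m["qname"].rstrip(".").lower()
            if qname in NTP_SERVERS:
                ntp_by_host[m["src"]].add(qname)
    ntp_suspects = {h: sorted(s) for h, s in ntp_by_host.items() if len(s) >= ntp_threshold}
    return c2_hits, ntp_suspects


def block_rules(c2_ips=C2_IPS):
    """Render the advisory's 'block these addresses' advice as iptables OUTPUT
    rules (one line per address, in numeric order) for review before deployment."""
    ordered = sorted(c2_ips, key=ipaddress.ip_address)
    return "\n".join(f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ordered)


if __name__ == "__main__":
    hits, suspects = analyze(SAMPLE_LOGS)
    for h in hits:
        print("C2 contact:", h)
    for host, names in suspects.items():
        print("NTP spread:", host, names)
    print(block_rules())
```

On the sample data the host 10.0.0.5 is reported twice, once by the high-confidence C2 rule and once by the weak NTP-spread rule, which is the kind of corroboration that justifies escalating it ahead of 10.0.0.7, whose single non-13620 contact could still be a scanner or a shared hosting address.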

The ZeroAccess botnet ranks first among the top five most prevalent pieces of botnet malware, followed by the Jeefo, Smoke, Mariposa, and Grum botnets.

Aditya Balapure is an information security researcher, consultant, and author with expertise in web application penetration testing and enterprise server security. Aditya has 3 years of practical experience in the field of information security. He has quite a few credentials to his name, such as CEH, ECSA, MCP, and a few international publications. His deep interest in vulnerability assessment and offensive penetration testing groups him among the white hats of the information security arena. Aditya Balapure is involved in many corporate trainings besides his constant hobby of open vulnerability disclosure.

Hello just wanted to give you a brief heads up and let you
know a few of the images aren’t loading correctly.
I’m not sure why but I think it’s a linking issue. I’ve tried it in
two different browsers and both show the same results.

Klikevil

This is by far the most technical writeup (browsing for nostalgia purposes) and detailed analysis of a large scale criminal botnet I have ever seen.
